Chapter 55. EPSS: A Modern Approach to Vulnerability Management

Aruneesh Salhotra

Making good predictions, and intelligently foreseeing what might happen next before acting, is crucial for decision-making. The same goals are essential in managing security risk.

Cybersecurity is a high-stakes race, and the winner is the one who finds the weakness first. Most security professionals work against the clock to find and fix system holes before opportunistic malicious actors exploit them.

Traditional Approaches Are Dated

Traditional vulnerability management approaches, such as the Common Vulnerability Scoring System (CVSS), are increasingly facing scalability challenges in today’s rapidly evolving cybersecurity landscape.

The core issue with CVSS lies in its static nature: it assigns a severity score to vulnerabilities based on a fixed set of criteria without considering the dynamic context of each organization’s unique network environment. These traditional approaches don’t account for the ever-changing tactics of threat actors, making it challenging to prioritize vulnerabilities based on real-world threat intelligence.

According to research by the Forum of Incident Response and Security Teams (FIRST), businesses and technology vendors fix only 5%–20% of their vulnerabilities each month, yet only 2%–7% of vulnerabilities are ever exploited. So which ones should we focus on remediating ...
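The following is an added example, not part of the chapter: it ranks a constructed vulnerability inventory (placeholder identifiers, not real CVEs) first by CVSS severity alone and then by EPSS exploitation probability, and measures how much of the actually-exploited set a fixed monthly remediation budget covers under each ordering. The "exploited" flag is constructed ground truth used only to score the two orderings.

```python
# Added example (not from the chapter): rank a constructed vulnerability
# inventory by CVSS alone versus by EPSS probability, then compare how much
# actual exploitation a fixed monthly remediation budget covers under each.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    vuln_id: str     # placeholder identifier, not a real CVE
    cvss: float      # CVSS base score, 0.0-10.0 (static severity)
    epss: float      # EPSS: probability of exploitation in the next 30 days
    exploited: bool  # constructed ground truth, used only to score the ranking

# Constructed inventory: several critical-CVSS findings that are rarely
# exploited, and lower-severity findings with high EPSS probabilities.
INVENTORY = [
    Vuln("VULN-A", 9.8, 0.02, False),
    Vuln("VULN-B", 9.1, 0.01, False),
    Vuln("VULN-C", 7.5, 0.92, True),
    Vuln("VULN-D", 6.5, 0.85, True),
    Vuln("VULN-E", 8.8, 0.03, False),
    Vuln("VULN-F", 5.3, 0.40, True),
    Vuln("VULN-G", 9.0, 0.05, False),
    Vuln("VULN-H", 4.3, 0.01, False),
]

def rank_by_cvss(vulns):
    """Traditional ordering: highest static severity first."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)

def rank_by_epss(vulns):
    """EPSS-informed ordering: likelihood first, CVSS as the tie-breaker."""
    return sorted(vulns, key=lambda v: (v.epss, v.cvss), reverse=True)

def remediation_budget(vulns, fraction):
    """Findings a team can fix this month; the chapter cites 5%-20%."""
    return max(1, round(len(vulns) * fraction))

def coverage(ranked, budget):
    """Share of the actually-exploited findings that fall inside the budget."""
    exploited_total = sum(v.exploited for v in ranked)
    hit = sum(v.exploited for v in ranked[:budget])
    return hit / exploited_total if exploited_total else 0.0

if __name__ == "__main__":
    budget = remediation_budget(INVENTORY, 0.20)
    for name, order in (("CVSS", rank_by_cvss), ("EPSS", rank_by_epss)):
        ranked = order(INVENTORY)
        print(name, [v.vuln_id for v in ranked[:budget]],
              f"coverage={coverage(ranked, budget):.0%}")
```

With a 20% budget the CVSS ordering spends both fixes on critical-but-unexploited findings, while the EPSS ordering covers two of the three exploited ones.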
